Masque Attack: iPhone and iPad users warned over bug in Apple's iOS operating system

Vulnerability could see users personal information stolen

IPhone and iPad owners are being warned to watch out for hackers who may exploit a vulnerability in Apple Inc's iOS operating system that could let them steal personal information.

The US government said there is a potential for hackers to use a newly identified technique, known as the ‘Masque Attack’, which was exposed by a network security company called FireEye Inc (FEYE.O) earlier this week.

FireEye Inc said the vulnerability behind the Masque Attack had been exploited to launch a campaign dubbed "WireLurker" and that more attacks could follow.

FireEye said the bug affects devices running on iOS7 or later.

This attack works by luring users to install an app from a source other than the iOS App Store or their organisations’ system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link. 

Hackers can then potentially steal login credentials, access sensitive data stored on iOS devices and remotely monitor activity on those devices.

However, these attacks could be avoided if iPad and iPhone users only install apps from Apple's App Store or from their own organisations.

The government is advising users not to click ‘install’ from pop-ups when surfing the web.

If iOS flashes a warning that says "Untrusted App Developer," users should click on "Don't Trust" and immediately uninstall the app, the bulletin from the US Computer Emergency Readiness Teams added.

Apple played down the threat in a statement on Thursday and assured users they were protected by early-warning systems and built-in protections.

"We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software.

"We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company's secure website."

Additional reporting by Reuters

Comments